rack-ssl-facebook 1.3.4

data/Gemfile

@@ -0,0 +1,3 @@
+source :gemcutter
+
+gem 'rack'

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2010 Joshua Peek
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,13 @@
+Rack::SSL
+=========
+
+Force SSL/TLS in your app.
+
+1. Redirects all "http" requests to "https"
+2. Set `Strict-Transport-Security` header
+3. Flag all cookies as "secure"
+
+Usage
+-----
+
+    use Rack::SSL

data/Rakefile

@@ -0,0 +1,48 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name              = "rack-ssl-facebook"
+    gem.summary           = "Force SSL/TLS in your app, preserving facebook's signed_request."
+    gem.description       = "Rack middleware to force SSL/TLS, preserving facebook's signed_request."
+    gem.email             = "mail@recursive-design.com"
+    gem.homepage          = "https://github.com/recurser/rack-ssl-facebook"
+    gem.authors           = ["Dave Perrett"]
+    gem.rubyforge_project = 'nowarning'
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'rake/testtask'
+task :default => :test
+Rake::TestTask.new do |t|
+  t.warning = true
+end
+
+def version
+  File.exist?('VERSION') ? File.read('VERSION') : ""
+end
+
+namespace :gem do  
+
+  desc 'Clean build products'
+  task :clean do
+    rm_f 'pkg'
+  end
+
+  desc 'Build the gem'
+  task :build => :clean do
+    system 'rake gemspec'
+    system 'rake build'
+  end
+
+  desc 'Push the gem to rubygems'
+  task :publish => [:clean, :build] do
+    system "gem push pkg/rack-ssl-facebook-#{version}.gem"
+  end
+  
+end

data/VERSION

@@ -0,0 +1 @@
+1.3.4

data/lib/rack/ssl_facebook.rb

@@ -0,0 +1,100 @@
+require 'rack'
+require 'rack/request'
+
+module Rack
+  class SSLFacebook
+    YEAR = 31536000
+
+    def self.default_hsts_options
+      { :expires => YEAR, :subdomains => false }
+    end
+
+    def initialize(app, options = {})
+      @app = app
+
+      @hsts = options[:hsts]
+      @hsts = {} if @hsts.nil? || @hsts == true
+      @hsts = self.class.default_hsts_options.merge(@hsts) if @hsts
+
+      @exclude = options[:exclude]
+      @host    = options[:host]
+      @port    = options[:port]
+    end
+
+    def call(env)
+      if @exclude && @exclude.call(env)
+        @app.call(env)
+      elsif scheme(env) == 'https'
+        status, headers, body = @app.call(env)
+        headers = hsts_headers.merge(headers)
+        flag_cookies_as_secure!(headers)
+        [status, headers, body]
+      else
+        redirect_to_https(env)
+      end
+    end
+
+    private
+      # Fixed in rack >= 1.3
+      def scheme(env)
+        if env['HTTPS'] == 'on'
+          'https'
+        elsif env['HTTP_X_FORWARDED_PROTO']
+          env['HTTP_X_FORWARDED_PROTO'].split(',')[0]
+        else
+          env['rack.url_scheme']
+        end
+      end
+
+      def redirect_to_https(env)
+        req        = Request.new(env)
+        url        = URI(req.url)
+        url.scheme = "https"
+        url.host   = @host if @host
+        url.port   = @port if @port
+        
+        # If a signed_request is present, append it to the query string.
+        if req.POST['signed_request']
+          if url.query.nil? or url.query.empty?
+            url.query = "signed_request=#{req.POST['signed_request']}"
+          else
+            url.query += "&signed_request=#{req.POST['signed_request']}"
+          end
+        end
+        
+        headers    = hsts_headers.merge('Content-Type' => 'text/html',
+                                        'Location'     => url.to_s)
+
+        [301, headers, []]
+      end
+
+      # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
+      def hsts_headers
+        if @hsts
+          value = "max-age=#{@hsts[:expires]}"
+          value += "; includeSubDomains" if @hsts[:subdomains]
+          { 'Strict-Transport-Security' => value }
+        else
+          {}
+        end
+      end
+
+      def flag_cookies_as_secure!(headers)
+        if cookies = headers['Set-Cookie']
+          # Rack 1.1's set_cookie_header! will sometimes wrap
+          # Set-Cookie in an array
+          unless cookies.respond_to?(:to_ary)
+            cookies = cookies.split("\n")
+          end
+
+          headers['Set-Cookie'] = cookies.map { |cookie|
+            if cookie !~ /; secure(;|$)/
+              "#{cookie}; secure"
+            else
+              cookie
+            end
+          }.join("\n")
+        end
+      end
+  end
+end

data/rack-ssl-facebook.gemspec

@@ -0,0 +1,47 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = "rack-ssl-facebook"
+  s.version = "1.3.4"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Dave Perrett"]
+  s.date = "2011-12-05"
+  s.description = "Rack middleware to force SSL/TLS, preserving facebook's signed_request."
+  s.email = "mail@recursive-design.com"
+  s.extra_rdoc_files = [
+    "LICENSE",
+    "README.md"
+  ]
+  s.files = [
+    "Gemfile",
+    "LICENSE",
+    "README.md",
+    "Rakefile",
+    "VERSION",
+    "lib/rack/ssl_facebook.rb",
+    "rack-ssl-facebook.gemspec",
+    "test/test_ssl.rb"
+  ]
+  s.homepage = "https://github.com/recurser/rack-ssl-facebook"
+  s.require_paths = ["lib"]
+  s.rubyforge_project = "nowarning"
+  s.rubygems_version = "1.8.11"
+  s.summary = "Force SSL/TLS in your app, preserving facebook's signed_request."
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<rack>, [">= 0"])
+    else
+      s.add_dependency(%q<rack>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<rack>, [">= 0"])
+  end
+end
+

data/test/test_ssl.rb

@@ -0,0 +1,169 @@
+require 'rack/ssl_facebook'
+
+require 'test/unit'
+require 'rack/test'
+
+class TestSSL < Test::Unit::TestCase
+  include Rack::Test::Methods
+
+  def default_app
+    lambda { |env|
+      headers = {'Content-Type' => "text/html"}
+      headers['Set-Cookie'] = "id=1; path=/\ntoken=abc; path=/; secure; HttpOnly"
+      [200, headers, ["OK"]]
+    }
+  end
+
+  def app
+    @app ||= Rack::SSLFacebook.new(default_app)
+  end
+  attr_writer :app
+
+  def test_allows_https_url
+    get "https://example.org/path?key=value"
+    assert last_response.ok?
+  end
+
+  def test_allows_https_proxy_header_url
+    get "http://example.org/", {}, 'HTTP_X_FORWARDED_PROTO' => "https"
+    assert last_response.ok?
+  end
+
+  def test_redirects_http_to_https
+    get "http://example.org/path?key=value"
+    assert last_response.redirect?
+    assert_equal "https://example.org/path?key=value",
+      last_response.headers['Location']
+  end
+
+  def test_exclude_from_redirect
+    self.app = Rack::SSLFacebook.new(default_app, :exclude => lambda { |env| true })
+    get "http://example.org/"
+    assert last_response.ok?
+  end
+
+  def test_hsts_header_by_default
+    get "https://example.org/"
+    assert_equal "max-age=31536000",
+      last_response.headers['Strict-Transport-Security']
+  end
+
+  def test_hsts_header
+    self.app = Rack::SSLFacebook.new(default_app, :hsts => true)
+    get "https://example.org/"
+    assert_equal "max-age=31536000",
+      last_response.headers['Strict-Transport-Security']
+  end
+
+  def test_disable_hsts_header
+    self.app = Rack::SSLFacebook.new(default_app, :hsts => false)
+    get "https://example.org/"
+    assert !last_response.headers['Strict-Transport-Security']
+  end
+
+  def test_hsts_expires
+    self.app = Rack::SSLFacebook.new(default_app, :hsts => { :expires => 500 })
+    get "https://example.org/"
+    assert_equal "max-age=500",
+      last_response.headers['Strict-Transport-Security']
+  end
+
+  def test_hsts_include_subdomains
+    self.app = Rack::SSLFacebook.new(default_app, :hsts => { :subdomains => true })
+    get "https://example.org/"
+    assert_equal "max-age=31536000; includeSubDomains",
+      last_response.headers['Strict-Transport-Security']
+  end
+
+  def test_flag_cookies_as_secure
+    get "https://example.org/"
+    assert_equal ["id=1; path=/; secure", "token=abc; path=/; secure; HttpOnly" ],
+      last_response.headers['Set-Cookie'].split("\n")
+  end
+
+  def test_flag_cookies_as_secure_at_end_of_line
+    self.app = Rack::SSLFacebook.new(lambda { |env|
+      headers = {
+        'Content-Type' => "text/html",
+        'Set-Cookie' => "problem=def; path=/; HttpOnly; secure"
+      }
+      [200, headers, ["OK"]]
+    })
+
+    get "https://example.org/"
+    assert_equal ["problem=def; path=/; HttpOnly; secure"],
+      last_response.headers['Set-Cookie'].split("\n")
+  end
+
+  def test_legacy_array_headers
+    self.app = Rack::SSLFacebook.new(lambda { |env|
+      headers = {
+        'Content-Type' => "text/html",
+        'Set-Cookie' => ["id=1; path=/", "token=abc; path=/; HttpOnly"]
+      }
+      [200, headers, ["OK"]]
+    })
+
+    get "https://example.org/"
+    assert_equal ["id=1; path=/; secure", "token=abc; path=/; HttpOnly; secure"],
+      last_response.headers['Set-Cookie'].split("\n")
+  end
+
+  def test_no_cookies
+    self.app = Rack::SSLFacebook.new(lambda { |env|
+      [200, {'Content-Type' => "text/html"}, ["OK"]]
+    })
+    get "https://example.org/"
+    assert !last_response.headers['Set-Cookie']
+  end
+
+  def test_redirect_to_host
+    self.app = Rack::SSLFacebook.new(default_app, :host => "ssl.example.org")
+    get "http://example.org/path?key=value"
+    assert_equal "https://ssl.example.org/path?key=value",
+      last_response.headers['Location']
+  end
+
+  def test_redirect_to_port
+    self.app = Rack::SSLFacebook.new(default_app, :port => 8443)
+    get "http://example.org/path?key=value"
+    assert_equal "https://example.org:8443/path?key=value",
+      last_response.headers['Location']
+  end
+
+  def test_redirect_to_host_and_port
+    self.app = Rack::SSLFacebook.new(default_app, :host => "ssl.example.org", :port => 8443)
+    get "http://example.org/path?key=value"
+    assert_equal "https://ssl.example.org:8443/path?key=value",
+      last_response.headers['Location']
+  end
+
+  def test_redirect_to_secure_host_when_on_subdomain
+    self.app = Rack::SSLFacebook.new(default_app, :host => "ssl.example.org")
+    get "http://ssl.example.org/path?key=value"
+    assert_equal "https://ssl.example.org/path?key=value",
+      last_response.headers['Location']
+  end
+
+  def test_redirect_to_secure_subdomain_when_on_deep_subdomain
+    self.app = Rack::SSLFacebook.new(default_app, :host => "example.co.uk")
+    get "http://double.rainbow.what.does.it.mean.example.co.uk/path?key=value"
+    assert_equal "https://example.co.uk/path?key=value",
+      last_response.headers['Location']
+  end
+
+  def test_redirect_with_signed_request
+    self.app = Rack::SSLFacebook.new(default_app, :host => "ssl.example.org")
+    post "http://example.org/path", {:signed_request => '1234'}
+    assert_equal "https://ssl.example.org/path?signed_request=1234",
+      last_response.headers['Location']
+  end
+
+  def test_redirect_with_signed_request_multi_params
+    self.app = Rack::SSLFacebook.new(default_app, :host => "ssl.example.org")
+    post "http://example.org/path?key=value", {:signed_request => '1234'}
+    assert_equal "https://ssl.example.org/path?key=value&signed_request=1234",
+      last_response.headers['Location']
+  end
+  
+end

metadata

@@ -0,0 +1,65 @@
+--- !ruby/object:Gem::Specification
+name: rack-ssl-facebook
+version: !ruby/object:Gem::Version
+  version: 1.3.4
+  prerelease: 
+platform: ruby
+authors:
+- Dave Perrett
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2011-12-05 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: &70095368008140 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70095368008140
+description: Rack middleware to force SSL/TLS, preserving facebook's signed_request.
+email: mail@recursive-design.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- LICENSE
+- README.md
+files:
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- VERSION
+- lib/rack/ssl_facebook.rb
+- rack-ssl-facebook.gemspec
+- test/test_ssl.rb
+homepage: https://github.com/recurser/rack-ssl-facebook
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: nowarning
+rubygems_version: 1.8.11
+signing_key: 
+specification_version: 3
+summary: Force SSL/TLS in your app, preserving facebook's signed_request.
+test_files: []